This is my first post here. I just installed NoScript, and it does exactly what I want. I'm amazed. Great work, guys.
Question (I'll simplify the scenario here; I'm not as careless as the following description may sound):
Let's assume I have a file on my (firewalled) local server. URL: "http://localhost/secret.js". Content:
secret="i'll never tell anyone"
...<script src="http://localhost/secret.js"></script><script>alert(secret)</script>...
But how does that work? Does NoScript decide this based on file suffix, or rather on MIME type? What feature is responsible for this (is there an option to turn it on/off)?
(BTW, unfortunately I don't get any message that the script has been blocked.)
Thanks
Chris
p.s.
I think this feature is so important that it should be integrated by default into every browser, or integrated into the HTML spec, because it's always possible that some file lies around on some server which just happens to be parseable as JavaScript (think Subversion servers etc.). Then the information in the file is easy prey for a CSRF-style attack (even with CSRF guards up on all JSON services etc.). This kind of protection doesn't even require complicated rules.